IIA CIA Fraud Risks and Controls

March 10, 2017 | Author: Jedidiah Smith



Copyright These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.

Part 2: Internal Audit Practice

Table of Contents

Section III: Fraud Risks and Controls
Section Introduction
Chapter A: Common Types of Fraud and Fraud Risks per Engagement Area
  Chapter Introduction
  Topic 1: Define and Introduce Fraud (Level A)
  Topic 2: Identify Common Types of Fraud Associated with the Engagement Area During the Engagement Planning Process (Level P)
  Topic 3: Consider the Potential for Fraud Risks in the Engagement Area During the Engagement Planning Process (Level P)
Chapter B: Assessing Response to Engagement Area Fraud Risks
  Chapter Introduction
  Topic 1: Determine if Fraud Risks Require Special Consideration When Conducting an Engagement (Level P)
Chapter C: Determining Need for Fraud Investigation
  Chapter Introduction
  Topic 1: Determine if Any Suspected Fraud Merits Investigation (Level P)
  Topic 2: Demonstrate an Understanding of Fraud Investigations (Level A)
Chapter D: Process Review for Fraud Controls Improvement
  Chapter Introduction
  Topic 1: Complete a Process Review to Improve Controls to Prevent Fraud and Recommend Changes (Level P)
Chapter E: Detecting Fraud
  Chapter Introduction
  Topic 1: Employ Audit Tests to Detect Fraud (Level P)
  Topic 2: Use Computer Data Analysis to Detect Fraud (Level P)
Chapter F: Culture of Fraud Awareness
  Chapter Introduction
  Topic 1: Support a Culture of Fraud Awareness and Encourage the Reporting of Improprieties (Level P)
Chapter G: Interrogation/Investigative Techniques
  Chapter Introduction
  Topic 1: Demonstrate an Understanding of Fraud Interrogation/
Chapter H: Forensic Auditing
  Chapter Introduction
  Topic 1: Demonstrate an Understanding of Forensic Auditing Techniques (Level A)
Bibliography

Section III: Fraud Risks and Controls

This section is designed to help you:
• Define fraud and the conditions that must exist for fraud to occur.
• Identify common types of fraud associated with the engagement area during the engagement planning process.
• Consider the potential for fraud risks in the engagement area during the engagement planning process.
• Determine if fraud risks require special consideration when conducting an engagement.
• Determine if any suspected fraud merits investigation.
• Demonstrate an understanding of fraud investigations.
• Ensure that the organization and internal audit learn from fraud investigations.
• Complete a process review to improve controls to prevent fraud and recommend changes.
• Provide examples of fraud risk management controls.
• Employ audit tests to detect fraud.
• Use computer data analysis to detect fraud, including continuous online monitoring.
• Support a culture of fraud awareness, and encourage the reporting of improprieties.
• Describe the features of an effective whistleblower hotline.
• Demonstrate an understanding of fraud interrogation/investigative techniques.
• Demonstrate an understanding of forensic auditing techniques.

The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 5% to 15% of the total number of questions for Part 2. Some topics are covered at the “A—Awareness” level, meaning that you are responsible for comprehension and recall of information. However, most topics are covered at the “P—Proficiency” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation.

Section Introduction

In its 2012 “Report to the Nations on Occupational Fraud and Abuse,” the Association of Certified Fraud Examiners reported that the average organization lost 5% of its revenues to fraud, or an estimated global total of US $3.5 trillion in losses to fraud. A large portion of those incidents—20%—represented losses of over US $1,000,000. As disturbing as the size of the loss is the fact that reported fraudulent activities usually continued for a median of 18 months before they were uncovered, most often after a tip from an employee within the organization. Only 3% of reported incidents were uncovered by external audits. These facts suggest that fraud represents a serious risk for most organizations around the world.

The internal auditing function can play a major role in managing the organization’s fraud risk by assuring the effectiveness of the organization’s fraud risk management framework and by considering the potential for fraud and the effectiveness of controls during specific assurance engagements.

The chapters in this section address the areas of knowledge concerning fraud and fraud audits:
• The types of fraud and fraud risks an internal auditor might encounter in different engagements
• Assessing fraud risks when conducting an engagement
• Determining the need for initiating a fraud investigation
• Analyzing processes to improve fraud controls
• Tools to detect fraud
• Creating a culture of fraud awareness
• Interrogation/investigative tools for fraud investigations
• Forensic auditing to compile legal evidence

Relevant Standards

The supporting role of the internal auditor in detecting fraud is reflected in Attribute Standard 1210.A2, which reads: “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”

The ability of the internal auditor to detect fraud and assess controls is a necessary component of other standards as well:
• Attribute Standard 1220, “Due Professional Care,” requires internal auditors to exercise prudence and competence. Attribute Standard 1220.A1 applies to preparing for engagements by considering the probability of fraud and Attribute Standard 1220.A2 to using technology and data analysis tools to detect fraud.
• Performance Standard 2120, “Risk Management,” requires internal auditors to “evaluate the effectiveness and contribute to the improvement of risk management processes.” Standard 2120.A2 states: “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.”
• Performance Standard 2210, “Engagement Objectives,” requires internal auditors to set objectives for each engagement and, in Standard 2210.A2, to “consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.”

Chapter A: Common Types of Fraud and Fraud Risks per Engagement Area

Chapter Introduction

This chapter focuses on providing a general understanding of fraud itself: what it is in general and how it may appear in different types of auditing engagements, why it occurs, and how an auditor can consider fraud potential during the engagement preparation process. Fraud risk awareness is discussed in more detail in Part 1, Section II.

The IIA also provides educational materials to help the auditor fulfill the requirement to become, and remain, proficient at the level required by the Standards. These materials include related Practice Advisories, Practice Guides and Position Papers, seminars, publications, and links to additional resources.

Being sufficiently knowledgeable to notice fraud opportunities and indicators of fraud requires:
• Knowing the definition of fraud as it appears in The IIA Glossary or in other authoritative professional or legal sources.
• Being able to identify the types of fraud most likely to occur in a specific audit client and being able to assess the client’s level of vulnerability (fraud risk).
• Knowing the symptoms of fraud (red flags).

The topics in this chapter focus on these knowledge areas.

Topic 1: Define and Introduce Fraud (Level A)

Definition of fraud

The Standards Glossary defines fraud as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

In 2008, The IIA, in conjunction with the American Institute of Certified Public Accountants (AICPA) and the Association of Certified Fraud Examiners (ACFE), published “Managing the Business Risk of Fraud, A Practical Guide.” It defines fraud as “any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.” The specific legal definition of fraud may vary by jurisdiction.

Why does fraud occur?

Three conditions must exist for fraud to occur—motive, opportunity, and rationalization. Together, these conditions are referred to as the “fraud triangle.”

• Motive. Pressure or incentive represents a need that an individual attempts to satisfy by committing fraud. Often, pressure comes from a significant financial need or problem. This may include the need to keep one’s job or earn a bonus. In publicly traded companies, there may be pressure to meet or beat analysts’ estimates. For example, a large bonus or other financial award can be earned based on meeting certain performance goals. The fraudster has a desire to maintain his or her position in the organization and to retain a certain standard of living to compete with perceived peers.

• Opportunity. Opportunity is the ability to commit fraud and not be detected. Since fraudsters do not want to be caught in their actions, they must believe that their activities will not be detected. Opportunity is created by weak internal controls, poor management, or lack of board oversight and/or through the use of one’s position and authority to override controls. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur. A process may be designed properly for typical conditions; however, a window of opportunity may arise creating circumstances for the control to fail. Persons in positions of authority may be able to create opportunities to override existing controls because subordinates or weak controls allow them to circumvent the controls.

• Rationalization. Rationalization is the ability for a person to justify a fraud, a crucial component in most frauds. It involves a person reconciling his/her behavior (e.g., stealing) with the commonly accepted notions of decency and trust. For example, the fraudster places himself or herself as the priority (self-centered) rather than the well-being of the organization or society as a whole. The person may believe that committing fraud is justified in the context of saving a family member or loved one so he/she can pay for high medical bills. Other times, the person simply labels the theft as “borrowing” and intends to pay the stolen money back at a later time. Some people will do things that are defined as unacceptable behavior by the organization yet are commonplace in their culture or were accepted by previous employers. As a result, they can rationalize their behavior by thinking that the rules don’t apply to them.

Special considerations for detecting and investigating fraud

Fraud is an area where the services of outside experts are often retained. The internal auditor’s responsibilities for detecting fraud during engagements include:
• Considering fraud risks in the assessment of control design and determination of audit steps to perform.
• Having sufficient knowledge of fraud to identify red flags indicating that fraud may have been committed.
• Being alert to opportunities that could allow fraud, such as control weaknesses.
• Evaluating the indicators of fraud and deciding whether any further action is necessary or whether an investigation should be recommended.
• Notifying the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation.

Topic 2: Identify Common Types of Fraud Associated with the Engagement Area During the Engagement Planning Process (Level P)

It is not the intent of this discussion to list the myriad types of fraud and red flags for fraud. The IIA publication Effective Fraud Detection and Prevention Techniques Practice Set by Hubert D. Glover and James C. Flag provides many specific examples of both. There is additional information on The IIA’s Web site, and more information is available through other resources that can help internal auditors understand common types of fraud and potential red flags. Ultimately, the specific nature of the engagement and the less tangible but equally important judgment skills of the internal auditor help to identify the relevant types of fraud and red flags for inquiry.

Let’s consider an example of a routine internal audit of the purchasing function that Glover and Flag describe in Effective Fraud Detection and Prevention Techniques Practice Set for an overview of fraud applied to a specific engagement.

Background and risks

Purchasing represents an activity where liabilities and commitments to expend cash are incurred. Fraud risks include unauthorized expenditures, illegal or corrupt procurement activities, and inefficient operations.

Engagement objectives

In considering these risks, the audit objectives are to:
• Authorize vendors in accordance with management’s criteria.
• Determine if purchases eligible for competitive bids are reviewed and authorized.
• Ensure that goods received are properly reflected in purchasing and shipping records and receiving reports are independently verified.
• Verify that liabilities incurred are properly recorded and updated upon cash disbursement and purchasing-related adjustment.

Audit scope

The audit of the purchasing function will primarily focus on the duties performed by the purchasing function. However, the internal auditor will have to interface with other functions such as receiving or accounts payable as deemed appropriate to verify the existence of controls.

Red flags

Fraud red flags in this case could include the following:
• Turnover among purchasing department buyers that significantly exceeds attrition rates in other areas of the organization
• Purchasing order proficiency rates that fluctuate significantly among buyers with comparable workloads
• Dramatic increases in purchase volumes per certain vendors that are not justified by competitive bidding or changes in production specifications
• Unaccounted purchase order numbers or physical loss of purchase orders
• Rise in the cost of routine purchases that exceed the inflation rate
• Unusual purchases not consistent with the categories identified by prior trends or operating budget
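Three of the purchasing red flags above can be run as data analytics over the purchase order ledger. The following script is an added illustration, not from the IIA manual or from Glover and Flag: it tests a constructed set of purchase orders for unaccounted purchase order numbers, for vendors whose purchase volume jumps sharply between two periods, and for routine items whose unit cost rose faster than inflation. The order data, the 2% inflation benchmark and the 2x volume threshold are assumptions chosen for the example.

```python
"""Purchasing red-flag analytics over a constructed set of purchase orders.

Added example, not from the IIA manual. Each function implements one of the
red flags listed for the purchasing engagement. Thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample data: (po_number, period, vendor, item, unit_cost, quantity)
PURCHASE_ORDERS = [
    (1001, "2016Q4", "Acme Supply", "gloves", 2.00, 500),
    (1002, "2016Q4", "Acme Supply", "masks", 0.50, 1000),
    (1003, "2016Q4", "Delta Parts", "bolts", 0.10, 5000),
    (1004, "2016Q4", "Delta Parts", "gloves", 2.05, 200),
    # PO 1005 is absent from the ledger: an unaccounted purchase order number
    (1006, "2017Q1", "Acme Supply", "gloves", 2.40, 520),
    (1007, "2017Q1", "Delta Parts", "bolts", 0.10, 5000),
    (1008, "2017Q1", "Delta Parts", "bolts", 0.10, 5000),
    (1009, "2017Q1", "Delta Parts", "bolts", 0.10, 30000),
    (1010, "2017Q1", "Acme Supply", "masks", 0.50, 900),
]

INFLATION_RATE = 0.02       # assumed period-over-period inflation benchmark
VOLUME_SPIKE_RATIO = 2.0    # assumed: flag vendors whose spend at least doubles


def missing_po_numbers(orders):
    """Red flag: purchase order numbers with no record in the ledger."""
    present = {po for po, *_ in orders}
    low, high = min(present), max(present)
    return [n for n in range(low, high + 1) if n not in present]


def spend_by_vendor_period(orders):
    """Total spend per (vendor, period)."""
    spend = defaultdict(float)
    for _, period, vendor, _, unit_cost, qty in orders:
        spend[(vendor, period)] += unit_cost * qty
    return spend


def vendor_volume_spikes(orders, prior, current, ratio=VOLUME_SPIKE_RATIO):
    """Red flag: vendors whose spend rose by at least `ratio` between periods.

    Returns {vendor: spend ratio} for the flagged vendors only.
    """
    spend = spend_by_vendor_period(orders)
    flagged = {}
    for vendor in {vendor for vendor, _ in spend}:
        before = spend.get((vendor, prior), 0.0)
        after = spend.get((vendor, current), 0.0)
        if before > 0 and after / before >= ratio:
            flagged[vendor] = round(after / before, 2)
    return flagged


def routine_cost_rises(orders, prior, current, inflation=INFLATION_RATE):
    """Red flag: items whose mean unit cost rose faster than inflation.

    Returns {item: fractional rise} for the flagged items only.
    """
    costs = defaultdict(list)
    for _, period, _, item, unit_cost, _ in orders:
        costs[(item, period)].append(unit_cost)
    flagged = {}
    for item in {item for item, _ in costs}:
        if (item, prior) not in costs or (item, current) not in costs:
            continue  # item not bought in both periods, nothing to compare
        mean_before = sum(costs[(item, prior)]) / len(costs[(item, prior)])
        mean_after = sum(costs[(item, current)]) / len(costs[(item, current)])
        rise = mean_after / mean_before - 1
        if rise > inflation:
            flagged[item] = round(rise, 3)
    return flagged


def red_flag_review(orders, prior, current):
    """Run all three tests and collect the results for the audit workpapers."""
    return {
        "missing_po_numbers": missing_po_numbers(orders),
        "vendor_volume_spikes": vendor_volume_spikes(orders, prior, current),
        "routine_cost_rises": routine_cost_rises(orders, prior, current),
    }


if __name__ == "__main__":
    for test, result in red_flag_review(PURCHASE_ORDERS, "2016Q4", "2017Q1").items():
        print(f"{test}: {result}")
```

On the constructed data the review reports PO 1005 as unaccounted for, flags Delta Parts because its spend rose more than fourfold between the two quarters, and flags gloves because the mean unit cost rose about 18.5%, well above the assumed 2% benchmark. As the text stresses, each hit is only a warning sign to be followed up with corroborating evidence (competitive bids, specification changes, voided-order logs), not proof of fraud.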

Topic 3: Consider the Potential for Fraud Risks in the Engagement Area During the Engagement Planning Process (Level P)

Be knowledgeable of the risk factors and red flags of fraud

Consideration must be given during the planning phase to the potential for fraud in the proposed area of inquiry. While internal auditors are not expected to be experts in fraud, they are expected to understand enough about internal controls to identify opportunities for fraud. They should also understand fraud schemes and scenarios as well as be aware of the signs that point to fraud and how to prevent them. Internal auditors may gain this knowledge through training, certification programs, experience, and self-study. One source of information concerning risk factors and red flags is “Managing the Business Risk of Fraud, A Practical Guide,” mentioned earlier. The IIA book store also contains many reference publications on the subject.

Fraud risk

All organizations are exposed to a degree of fraud risk in any process where human input is required. The degree to which an organization is exposed relates to the fraud risks inherent in the business, the extent to which effective internal controls are present either to prevent or detect fraud, and the honesty and integrity of those involved in the process.

Fraud risk is the probability that fraud will occur and the potential severity or consequences to the organization when it occurs. The probability of a fraudulent activity is based, typically, on how easy it is to commit fraud, the motivational factors leading to fraud, and the company’s fraud history.

Fraud triangle

The fraud triangle, discussed in the first topic of this chapter, can help internal auditors gauge the potential for fraud in a specific engagement area:
• Motive. Could employees in the area be motivated to commit fraud? For example, are morale problems well known? Are employees underpaid relative to the local market or industry? Are employees under unusual stress to perform—for example, to meet certain cost parameters?
• Opportunity. Do employees have opportunity to commit fraud? For example, do processes include reasonable controls against fraud? Is management supervision adequate? Is there high turnover that might make detection more difficult? Are processes so complex or highly automated that detection would be challenging?
• Rationalization. Does the culture in the organization or in the engagement area encourage a certain amount of ethical laxity?

Fraud red flags

An internal auditor also needs to understand fraud indicators—signs that indicate both the inadequacy of controls in place to deter fraud and the possibility that some perpetrator has already overcome these weak or absent controls to commit fraud. Such indicators are referred to as red flags. Fraud red flags may surface at any stage of the internal audit.

Red flags are only warning signs; they are not proof that fraud has been committed. However, they serve an important function during planning to direct the internal auditor’s attention to questionable areas and/or activities. Identification of red flags directs the scope of current and subsequent audit steps until sufficient evidence is gathered to form an objective conclusion regarding the existence of fraud. The occurrence of red flags combined with other corroborating audit evidence provides an effective detection technique.

There are several general tenets that apply in fraud detection. Consider these examples.
• A good system of internal controls is likely to expose irregularities perpetrated by a single individual without the aid of others.
• A group has a better chance of perpetrating fraud than does a single individual.
• Management can often override controls, singularly or in groups.

Design appropriate engagement steps to address significant risk of fraud

When planning the audit, the auditor should determine the most likely fraud risks associated with the audit customer’s mission, markets, culture, operations, staff, and management. After identifying these, the auditor can design appropriate engagement steps to determine whether controls are in place to prevent the fraud occurrence or whether those types of frauds are occurring.

Effectively identifying fraud risks specific to a particular client requires thinking like a criminal—asking yourself, “If I were managing or working in this organization, what sorts of fraud might I be tempted to commit on behalf of the organization or to its detriment (and my gain)? And if I decided to commit that fraud, how would I carry it out with greatest likelihood of success?”

When assessing the fraud risk in an audit client, the internal auditor should use the organization’s own model for risk management, such as the COSO model. The internal auditor should also take cost and benefit considerations into account. No organization can be 100% free of fraud risk. Controls should be designed to reduce fraud risk to a reasonably small amount in relation to the investment required and the consequences they prevent. A million-dollar program to reduce pencil theft is unlikely to pass the cost-benefit test.

Design steps appropriate to conditions

In planning the audit, the auditor should consider the specific environment of the engagement and its vulnerabilities to fraud. For example, managers will have different temptations from staff and will also have access to different opportunities. People working as mortgage lenders in a bank will be tempted in different ways from computer programmers in the same organization—and will likely have access to different methods of carrying out their kind of fraud. Employees in a retail establishment will have different temptations and options than employees in pharmaceutical research organizations.

Different types of processes also present different opportunities for fraud and red flags. For example, the types of activities the internal auditor should watch for when auditing an e-commerce operation include:
• Unauthorized movement of money (e.g., transfers to jurisdictions where the recovery of funds would be difficult).
• Duplication of payments.
• Denial of orders placed or received, goods received, or payments made.
• Exception reports and procedures and effectiveness of the follow-up.
• Digital signatures. (Are they used for all transactions? Who authorizes them? Who has access to them?)
• Protections against viruses and hacking activities (history file, use of tools).
• Access rights. (Are they reviewed regularly? Are they promptly revised when staff members are changed?)
• History of interception of transactions by unauthorized persons.

Seek authority to take the necessary engagement steps

While the Standards mandate that the internal auditor should carry out engagements with proficiency and due professional care, they also recognize that management, too, bears responsibilities in this regard. (The Sarbanes-Oxley Act also assigns to senior management personal responsibility for establishing controls to prevent fraud and for reporting any that comes to their attention.) According to Sawyer, et al., management is not only responsible for creating a moral atmosphere in the organization (“tone at the top”) and for developing adequate controls but must also grant the auditor certain authorities, without which the auditor cannot be held responsible for detecting signs of fraud. Specifically, the internal auditor must have authority to:
• Review and comment on annual reports.
• Audit all consulting arrangements. (Contract work is especially prone to generating overcharges. Contracts should include a right-to-audit clause.)
• Analyze the organization’s procedures.
• Review transactions approved by executives.
• Have access to the board of directors’ actions.
• Review transactions with subsidiaries and associated organizations.
• Test documentation supporting financial reports.
• Monitor compliance with the organization’s record retention policies.
• Ask managers about political contributions, etc.
• Review expense accounts.
• Monitor the conflict-of-interest policy.
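Two of the e-commerce watch items above, duplication of payments and access rights that are not promptly revised when staff change, lend themselves to routine audit tests over the payment ledger and the access list. The script below is an added example and not part of the IIA text; the payment records, the HR roster, the application account list and the 30-day matching window are all constructed for illustration.

```python
"""Two e-commerce audit tests over constructed records: duplicate payments and
stale access rights. Added example; data, roster and thresholds are assumptions.
"""
from datetime import date

# Constructed payment ledger: (payment_id, vendor, invoice_no, amount, paid_on)
PAYMENTS = [
    ("P-1", "Acme Supply", "INV-100", 1200.00, date(2017, 1, 5)),
    ("P-2", "Acme Supply", "INV-100", 1200.00, date(2017, 1, 20)),  # same invoice paid twice
    ("P-3", "Delta Parts", "INV-77", 480.00, date(2017, 2, 1)),
    ("P-4", "Delta Parts", "INV-77A", 480.00, date(2017, 2, 3)),    # re-keyed invoice number
    ("P-5", "Delta Parts", "INV-78", 950.00, date(2017, 2, 10)),
]

# Constructed access data: application accounts and the HR employment status
ACTIVE_ACCOUNTS = {"jdoe": "admin", "asmith": "buyer", "bwong": "buyer", "svc_report": "reader"}
HR_ROSTER = {"jdoe": "active", "asmith": "terminated", "bwong": "active"}

DUPLICATE_WINDOW_DAYS = 30  # assumed: same vendor and amount within 30 days is suspect


def duplicate_payments(payments, window_days=DUPLICATE_WINDOW_DAYS):
    """Flag pairs of payments to the same vendor that share an invoice number,
    or that share an amount and fall within `window_days` of each other.

    Returns a list of (earlier_id, later_id, reason) tuples.
    """
    ordered = sorted(payments, key=lambda p: p[4])  # by payment date
    flagged = []
    for i, first in enumerate(ordered):
        for second in ordered[i + 1:]:
            if first[1] != second[1]:
                continue  # payments to different vendors are not compared
            if first[2] == second[2]:
                flagged.append((first[0], second[0], "same invoice number"))
            elif first[3] == second[3] and (second[4] - first[4]).days <= window_days:
                flagged.append((first[0], second[0], "same amount within window"))
    return flagged


def stale_access(active_accounts, hr_roster):
    """Flag accounts whose holder is not an active employee, including
    accounts with no matching HR record at all (e.g. unowned service accounts)."""
    return sorted(user for user in active_accounts if hr_roster.get(user) != "active")


if __name__ == "__main__":
    for pair in duplicate_payments(PAYMENTS):
        print("duplicate payment candidate:", pair)
    print("accounts to review:", stale_access(ACTIVE_ACCOUNTS, HR_ROSTER))
```

The duplicate test deliberately matches on amount as well as invoice number, because a re-keyed invoice reference (INV-77 versus INV-77A) defeats an exact-match check. The access test treats an account with no HR record the same as one belonging to a terminated employee: both need an owner to be identified before the account is left enabled.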

Chapter B: Assessing Response to Engagement Area Fraud Risks

Chapter Introduction

This chapter applies the enterprise risk management model to planning the audit engagement. The auditor considers the potential for fraud in the audited process or area, weighs its priority against the organization’s objectives and the engagement’s budget, and plans the audit accordingly.

Topic 1: Determine if Fraud Risks Require Special Consideration When Conducting an Engagement (Level P)

To assess fraud risk, internal auditors should use the organization’s enterprise risk management model, if one is available. Otherwise, auditors should try to understand the specific fraud schemes that could threaten the organization. A risk model maps and assesses the organization’s vulnerability to fraud schemes, covering all inherent risks to the organization. The model should use consistent categories (i.e., there should be no overlap between risk areas) and should be detailed enough to identify and cover anticipated high-risk areas.

COSO’s enterprise risk management framework provides a useful model that includes sections on:
• Event identification, such as brainstorming activities, interviews, focus groups, surveys, industry research, and event inventories.
• Risk assessments, including probabilities and consequences.
• Risk response strategies, such as treating, transferring, tolerating, or terminating risk.
• Control activities, such as linking risks to existing anti-fraud programs and control activities and validating their effectiveness.
• Monitoring, including audit plans and programs that consider residual fraud and risk due to misconduct.

The evaluation should consider whether fraud could be committed by an individual or requires collusion. Considerations also should be made regarding the negative effects of unjustly suspecting employees or giving the appearance that employees are not trusted.

Fraud risk assessment

Risk assessment (also known as risk analysis) is the identification and measurement of risk and the process of prioritizing risk. COSO tells us that specific to fraud, a risk assessment evaluates management’s fraud risk assessment, in particular their process for identifying, assessing, and testing potential fraud misconduct schemes and scenarios that could involve suppliers, contractors, and other parties. The fraud risk assessment process is a critical activity in establishing a basis to design and implement anti-fraud programs and risk control activities.

Internal Auditing: Assurance and Consulting Services lists the following characteristics of effective fraud risk assessment:
• Performed on a systematic and recurring basis
• Considers possible fraud schemes and scenarios, including consideration of internal and external factors
• Assesses risk at a company-wide, significant business unit, and significant account level
• Evaluates the likelihood, significance, and pervasiveness of each risk
• Assesses exposure arising from each category of fraud risk by identifying mitigating control activities and considering their effectiveness
• Is performed with the involvement of appropriate personnel
• Considers management override of controls (e.g., nonroutine transactions and journal entries or temporary suspension of controls)
• Is updated when special circumstances arise (e.g., mergers and acquisitions and new systems)

Judgment skills

The final determination of whether or not the risk of fraud warrants special consideration when conducting the engagement involves the internal auditor’s judgment skills. This mental attitude or judgment is a combination of the internal auditor’s analytical skills and all information related to the organization to determine if internal control weaknesses exist and signal the potential for fraud activity. Armed with this information, the internal auditor can respond accordingly in planning the engagement.

Chapter C: Determining Need for Fraud Investigation

Chapter Introduction

It is the task of the internal auditor to be one of the “early warning systems” of the organization—to detect the indicators of fraud. However, a complete fraud examination is a serious and potentially costly undertaking, since it may culminate in legal proceedings and may require the assembly of a full fraud investigation team to identify evidence that can meet demanding legal criteria. Any fraud case also carries the potential of legal liability for the organization if the charges cannot be proven.

Although the internal auditor is not expected to have the level of expertise required to perform fraud investigations, internal auditors do play an important role in these investigations. The internal auditor assists members of the organization in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. To be better prepared to support fraud investigations, internal auditors should be aware of how investigations are conducted.

Topic 1: Determine if Any Suspected Fraud Merits Investigation (Level P)

Organizations investigate possible fraud when there is a concern or suspicion of wrongdoing within the organization. Suspicion can result from a formal complaint process, an informal complaint process such as a tip, or an audit, including an audit designed to test for fraud. Investigating a fraud is not the same as auditing for fraud, which is an audit designed to proactively detect indications of fraud in those processes or transactions where analysis indicates the risk of fraud to be significant.

If significant control weaknesses are detected, additional tests conducted by internal auditors should be directed at identifying other fraud indicators. The internal auditor should:
• Recognize that the presence of more than one indicator at any one time increases the probability that fraud has occurred.
• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
• Notify the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation.

In addition, it is the responsibility of the internal auditor to support further investigation by providing sound data and by ensuring that the suspected perpetrators are not alerted prematurely to the investigation.

Maintaining continuity

When fraud is suspected, the internal auditor will, in most cases, refer the case to the chief audit executive, who will secure appropriate resources for further investigation—for example, a certified fraud examiner or an IT security specialist. The internal auditor plays an important role in transitioning to a fraud investigation. The succeeding auditor/investigator should be briefed on fraud risks in the engagement, red flags noticed, fraud tests implemented to date, and preliminary findings. Internal auditors assigned to an engagement should be similarly prepared to discuss specific concerns about suspected fraud with a successor in the event that the audit must be handed off to a colleague before definite conclusions can be reached. The potential impact of fraud is too great to risk losing critical focus during staffing transitions.

Topic 2: Demonstrate an Understanding of Fraud Investigations (Level A)

A fraud investigation consists of gathering sufficient information about specific details and performing the procedures necessary to determine whether fraud has occurred, the loss or exposures associated with the fraud, who was involved, and how it happened. An important outcome of investigations is that innocent persons are cleared of suspicion. Investigations attempt to discover the full nature and extent of the fraudulent activity, not just the event that may have initiated the investigation. Investigation work includes preparing, documenting, and preserving evidence sufficient for potential legal proceedings.

Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the organization usually conduct or participate in fraud investigations. Investigations and the related resolution activities need to be carefully managed in accordance with laws. Local laws may direct how and where investigations are conducted, disciplinary and recovery practices, and investigative communications. It is in the best interest of the company, both professionally and legally, to work effectively with the organization’s legal counsel and to become familiar with the relevant laws in the country in which the fraud investigation occurs.

According to Sawyer’s Internal Auditing, the objectives of a fraud investigation are:
• First and foremost, to protect the innocent, establish the facts, resolve the matter, and clear the air.
• To determine the basic circumstances quickly to stop the loss as soon as possible.
• To establish the essential elements of the crime to support a successful prosecution.
• To identify, gather, and protect evidence.
• To identify and interview witnesses.
• To identify patterns of actions and behavior.
• To determine probable motives that often will identify potential suspects.
• To provide accurate and objective facts upon which judgments concerning discipline, termination, or prosecution may be based.
• To account for and recover assets.
• To identify weaknesses in control and counter them by revising existing procedures or recommending new ones and by applying security equipment when justified.

Investigation process

Management is responsible for developing controls for the investigation process, including policies and procedures for effective investigations, preserving evidence, handling the results of investigations, reporting, and communications. Such standards are often documented in a fraud policy; internal auditors may assist in the evaluation of the policy. Such policies and procedures need to consider the rights of individuals, the qualifications of those authorized to conduct investigations, and the relevant laws where the frauds occurred. The policies should also consider the extent to which management will discipline employees, suppliers, or customers, including taking legal measures to recover losses and civil or criminal prosecution. It is important for management to clearly define the authority and responsibilities of those involved in the investigation, especially the relationship between the investigator and legal counsel. It is also important for management to design and comply with procedures that minimize internal communications about an ongoing investigation, especially in the initial phases. The policy needs to specify the investigator’s role in determining whether a fraud has been committed. Either the investigator or management will decide if fraud has occurred, and management will decide whether the organization will notify outside authorities. A judgment that fraud has occurred may in some jurisdictions be made only by law enforcement or judicial authorities. The investigation may simply result in a conclusion that organization policy was violated or that fraud is likely to have occurred.

The role of internal audit

The role of the internal audit activity in investigations needs to be defined in the internal audit charter as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibility for fraud investigations or may act as a resource for investigations. Internal auditing may also refrain from involvement in investigations because it is responsible for assessing the effectiveness of investigations or because it lacks the appropriate resources. Any of these roles can be acceptable as long as their impact on internal auditing’s independence is recognized and handled appropriately. To maintain proficiency, fraud investigation teams have a responsibility to obtain sufficient knowledge of fraudulent schemes, investigation techniques, and applicable laws. There are national and international programs that provide training and certification for investigators and forensic specialists. If the internal audit activity is responsible for the investigation, it may conduct an investigation using in-house staff, outsourcing, or a combination of both. In some cases, internal audit may also use non-audit employees of the organization to assist. It is often important to assemble the investigation team without delay. If the organization is likely to need external experts, the CAE may prequalify the service provider(s) so external resources are quickly available when needed. In organizations where primary responsibility for the investigation function is not assigned to the internal audit activity, the internal audit activity may still be asked to help gather information and make recommendations for internal control improvements, such as:
• Monitoring the investigation process to help the organization follow relevant policies and procedures and applicable laws and statutes.
• Locating and/or securing misappropriated or related assets.
• Supporting the organization’s legal proceedings, insurance claims, or other recovery actions.
• Evaluating and monitoring the organization’s internal and external post-investigation reporting and communication plans and practices.
• Monitoring the implementation of recommended control enhancements.

Conducting the investigation

An investigation plan is developed for each investigation, following the organization’s investigation procedures or protocols. The lead investigator determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and assigns competent, appropriate people to the team. This process includes obtaining assurance that there is no potential conflict of interest with those being investigated or with any of the employees in the organization. The plan should consider the following investigative activities:
• Gathering evidence through surveillance, interviews, or written statements
• Documenting and preserving evidence, considering legal rules of evidence and the business uses of the evidence
• Determining the extent of the fraud
• Determining the techniques used to perpetrate the fraud
• Evaluating the cause of the fraud
• Identifying the perpetrators
At any point during this process, the investigator may conclude that the complaint or suspicion was unfounded. The investigator then follows the organization’s process to close the case.

Obtaining evidence

The collection and preparation of evidence is critical to understanding the fraud or misconduct, and it is needed to support the conclusions reached by the investigation team. The investigation team may use computer forensic procedures or computer-assisted data analysis based on the nature of the allegations, the results of the procedures performed, and the goals of the investigation. All reports, documents, and evidence obtained should be recorded chronologically in an inventory or log. Some examples of evidence include:
• Letters, memos, and correspondence, in either hard copy or electronic form (such as e-mails or information stored on personal computers).
• Computer files, general ledger postings, or other financial or electronic records.
• IT or system access records.
• Security and time-keeping logs, such as security camera videos or access badge records.
• Internal phone records.
• Customer or vendor information, both in the public domain and maintained by the organization, such as contracts, invoices, and payment information.
• Public records, such as business registrations with government agencies or property records.
• News articles and internal and external Web sites such as social networking sites.

Interviewing and interrogating

The investigator will interview individuals such as witnesses and facilitating personnel with the goal of gathering evidence to support a suspicion that fraud may be occurring and/or to establish the scope of fraud activity and the degree of complicity in the fraud. Many investigators prefer to approach the accused with sufficient evidence to support the goal of securing a confession. Generally the accused is interrogated by two people: 1) an experienced investigator and 2) another individual who takes notes during the interrogation and later functions as a witness if needed. In addition, it is essential that all information obtained from the interrogation is recorded accurately. The differences between interviews and interrogations and the techniques appropriate to each are discussed in Chapter G later in this section. Investigative activities need to be coordinated with management, legal counsel, and other specialists such as human resources and insurance risk management as appropriate throughout the investigation. Investigators need to be knowledgeable and cognizant of the rights of persons within the scope of the investigation and the reputation of the organization itself. The investigator has the responsibility to ensure that the investigation process is handled in a consistent and prudent manner. The level and extent of complicity in the fraud throughout the organization needs to be assessed. This assessment can be critical to avoiding the destruction or tainting of crucial evidence and to avoiding misleading information from persons who may be involved. The investigation needs to adequately secure evidence collected, maintaining chain-of-custody procedures appropriate for the situation.

Reporting investigation results

Reporting fraud investigations consists of the various oral, written, interim, or final communications to senior management and/or the board regarding the status and results of fraud investigations. Reports can be preliminary and ongoing throughout the investigation. A written report or other formal communication may be issued at the conclusion of the investigation phase. It may include the reason for beginning the investigation, time frames, observations, conclusions, resolution, and corrective action taken (or recommendations) to improve controls. Depending on how the investigation was resolved, the report may need to be written in a manner that provides confidentiality for some of the people involved. In writing the report, the investigator should consider the needs of the board and management while complying with legal requirements and restrictions and the organization’s policies and procedures. Some additional considerations concerning fraud reporting are:
• Submitting a draft of the proposed final communications to legal counsel for review. In cases where the organization is able to invoke attorney-client privilege and has chosen to do so, the report is addressed to legal counsel.
• Notifying senior management and the board in a timely manner when significant fraud or erosion of trust occurs.
• Considering the effect on financial statements. The results of a fraud investigation may indicate that fraud had a previously undiscovered adverse effect on the organization’s financial position and its operational results for one or more years for which financial statements have already been issued. Senior management and the board need to be informed of such a discovery so they can decide on the appropriate reporting, usually after consulting with the external auditors.
If the internal audit activity conducts the investigation, Standard 2400, “Communicating Results,” provides information applicable to necessary engagement communications. As specified in this standard, distribution of investigation results should be appropriately limited and information should be treated in a confidential manner. Practice Advisory 2440-2 notes that information regarding fraud comes under the category of “matters that may adversely impact the organization’s reputation, image, competitiveness, success, viability, market values, investments and intangible assets, or earnings.” In addition, communication of results should take care to protect internal whistleblowers. This will help create an atmosphere in which future whistleblowers feel less vulnerable to pressures and repercussions from within the organization. Without these protections, whistleblowers may feel that it is safer to take sensitive information to outside bodies first. This hinders the organization’s ability to conduct its own investigations and take corrective actions.

In the case of fraud, local laws may accelerate communication of investigation reports to the board and may require reporting to local authorities as well.

Resolution of fraud incidents

Resolution consists of determining what actions will be taken by the organization once a fraud scheme and perpetrator(s) have been fully investigated and evidence has been reviewed. Management and the board are responsible for resolving fraud incidents, not the internal audit activity or the investigator. An important decision at this stage is whether to prosecute the wrongdoer. This decision is made by management and the board, usually based on the input of legal counsel. While internal auditors do not make these decisions, they may indicate to management and the board that prosecutions discourage future fraud by reinforcing the repercussions of fraudulent behavior and thus serve as a fraud deterrent. Resolution may include all or some of the following:
• Providing closure to persons who were initially under suspicion but were found to be innocent
• Providing closure to those who reported a concern
• Disciplining an employee in accordance with the organization’s policies, employment legislation, or employment contracts
• Requesting voluntary financial restitution from an employee, customer, or supplier
• Terminating contracts with suppliers
• Reporting the incident to law enforcement, regulatory bodies, or similar authorities; encouraging them to prosecute the fraudster; cooperating with their investigation and prosecution
• Entering into civil litigation or similar legal processes to recover the amount taken
• Filing an insurance claim
• Filing a complaint with the perpetrator’s professional association
• Recommending control enhancements

Communication by the board and senior management

Management or the board determines whether to inform entities outside the organization after consultation with individuals such as legal counsel, human resources personnel, and the CAE. The organization may have a responsibility to notify government agencies of certain types of fraudulent acts. These agencies include law enforcement, regulatory agencies, or oversight bodies. Additionally, the organization may be required to notify the organization’s insurers, bankers, and external auditors of instances of fraud. Any comments made by management to the press, law enforcement, or other external parties are best coordinated through legal counsel. Typically, only authorized spokespersons make external announcements and comments. Internal communications are a strategic tool used by management to reinforce its position relating to integrity, to demonstrate that it takes appropriate action (including prosecution, if appropriate) when organizational policy is violated, and to show why internal controls are important. Such communications may take the form of a newsletter article or a memo from management, or the situation may be used as an example in the organization’s fraud training program. These communications generally take place after the case has been resolved internally, and they do not specify the names of perpetrators or other specific investigation details that are not necessary for the message or that contravene laws. An investigation and its results may cause significant stress or morale issues that may disrupt the organization, especially when the fraud becomes public. Management may plan employee sessions and/or team-building strategies to rebuild trust and camaraderie among employees.

Lessons learned

After the fraud has been investigated and communicated, it is important for management and the internal audit activity to step back and consider the lessons learned. For example:
• How did the fraud occur?
• What controls failed?
• What controls were overridden?
• Why wasn’t the fraud detected earlier?
• What red flags were missed by management?
• What red flags did internal audit miss?
• How can future frauds be prevented or more easily detected?
• What controls need strengthening?
• What internal audit plans and audit steps need to be enhanced?
• What additional training is needed?
The dynamic feedback within these sessions needs to stress the importance of acquiring up-to-date information on fraudsters and fraud schemes that can help internal auditors and the anti-fraud community engage in best practices to prevent losses. Internal auditors typically assess the facts of investigations and advise management relating to remediation of the control weaknesses that led to the fraud. Internal auditors may design steps in audit programs or develop “auditing for fraud” programs to help disclose the existence of similar frauds in the future.

Chapter D: Process Review for Fraud Controls Improvement

Chapter Introduction

The goal of the process review is to ensure that the existing controls are achieving their objectives—that all risks have been identified and controlled to the level required by the organization’s risk attitude—and to identify opportunities for improving fraud controls.

Topic 1: Complete a Process Review to Improve Controls to Prevent Fraud and Recommend Changes (Level P)

The process review may occur as the focus of one engagement within the audit plan—an individual engagement within the annual audit plan designed to review, analyze, and improve the current fraud risk management framework. It may also be included as one objective of an individual engagement, if the audited area or process is considered vulnerable to some manner of fraud. Applied to the area of auditing for fraud controls, process review implies that, in the course of an assurance engagement, the internal auditor will:
• Review the risk assessment to identify risks that have not been identified.
• Assess whether controls are in place—according to an analysis of the degree of likelihood and impact of a fraud scenario and according to the organization’s risk attitude—to prevent or mitigate fraud.
• Gather evidence to establish whether fraud controls are operating as defined.
• Propose ways to improve fraud controls in the program, audited area, or process.
For example, an internal auditor may note that it is possible for some cash transactions to go unrecorded in a retail environment, such as small rental fees for equipment or space at a sports facility. There may be no controls in place or only very weak controls. After assessing the potential for loss by fraud, the internal auditor may recommend various controls, ranging from policy (“Cash transactions must be documented in a manner that will allow reconciliation”) to procedure (implementation of rental logs and numbered customer receipts) to collection of benchmarking data (typical levels of equipment/space rentals and resulting income).

Auditing the fraud risk management program

The audit plan may include an engagement to audit the risk management, internal control, and governance activities in regard to fraud—the fraud risk management program. The components of a fraud risk management program are described in “Managing the Business Risk of Fraud, A Practical Guide,” which states: Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:
Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
Internal auditors usually consider fraud risks and controls during audit engagements, covering issues in Principles 2, 3 and 4. An audit of the organization’s fraud risk management program takes a macro approach and ensures coverage of activities named in Principles 1 through 5. Additional areas to evaluate may include:
• Board roles, responsibilities, and oversight activities.
• Fraud statistics and performance measures.
• The ethics culture and opinions of stakeholders.
• Compliance reporting functions.
• The effectiveness of corrective action (recovery of losses, disciplinary action, identification and improvement of control weaknesses).

Fraud risk management framework controls

Fraud prevention and mitigation encompasses those actions taken to discourage fraud and limit fraud exposure when it occurs. Strong safeguarding controls and an anti-fraud program are proven fraud deterrents. As with other internal controls, management has the primary responsibility for establishing and maintaining the fraud controls. The AICPA, in its publication “Management Antifraud Programs and Controls,” tells us that organizations need to take three fundamental actions:
• Create a culture of honesty and high ethics.
• Evaluate anti-fraud processes and controls.
• Develop an appropriate oversight process.
Creating a culture of fraud awareness is discussed later in this section, in Chapter F. In addition to cultural controls, specific controls can be designed to meet the fraud risks in different types of functions and processes. Exhibit III-1 applies the five COSO control components to the task of fraud risk management.

Exhibit III-1: COSO Fraud Prevention and Control and the Internal Audit Activity

Whether an organization uses the COSO control framework or another framework, the key components in creating a culture of fraud awareness are setting a tone of honesty and integrity, developing a strong code of conduct and ethics policy, and clearly communicating it to all employees. Then the risks must be identified and quantified according to the probability of occurrence and their potential impact. With these elements in place, internal auditors can examine and evaluate the adequacy and effectiveness of their internal controls system commensurate with the extent of a potential exposure within the organization.

Chapter E: Detecting Fraud

Chapter Introduction

A program to detect fraud results from the realization that, in most cases, fraud cannot be entirely prevented. Fraud detection controls aim at uncovering actions or events that could be symptomatic of fraud, such as reconciling vendor payments with purchase orders, invoices, vendor information (e.g., address on file), and employee national identification numbers (e.g., a Social Security number in the US or a resident identity card in China). Detection controls can be passive or active. A passive fraud detection example would be a whistleblower program that facilitates reporting of fraud by employees, while an active detection control would be an analytic test performed during an audit. They can be performed periodically, during an assurance audit engagement, or applied continually, which may provide a much shorter time frame for detection. As stated earlier, in the 2012 “Report to the Nations,” the ACFE reported that the median length of time for a fraudulent activity was 18 months. For significant fraud risks, detecting fraud can be especially important. This chapter focuses on different ways to detect fraud.

Topic 1: Employ Audit Tests to Detect Fraud (Level P)

When the internal auditor discovers an indication that fraud might have occurred or that control systems are weak in some particular area, the auditor should design further tests to uncover other indicators of fraud. Analytical procedures used to detect fraud include trend analysis and proportional analysis. (Using computer-based data analysis is discussed in the next topic.) Trend and proportional analysis require that the internal auditor have an adequate understanding of the business being audited, both in terms of activity levels and in the relationships between activities.

Trend analysis

Reasoning that related activities will show consistent trends unless some factor disrupts the relationship, an auditor may analyze trend data to see if any such disruptions have occurred. After finding such a disruption, the auditor will do further research to identify a cause. Sometimes the cause of a breakdown in trends turns out to be fraud. For example, a study of trends in sales and freight costs could reveal a much faster rate of increase in freight costs than in sales. Since the costs of shipping materials and goods should be directly related to the amount of goods produced and sold, the auditor initiates an investigation, uncovering a pattern of recording false shipments and pocketing the resulting expenditures.

Proportional analysis

Proportional analysis is another way of comparing related pieces of data. Instead of tracking the data’s trends, however, the auditor using proportional analysis determines the ratio of one to the other to see if it is reasonable and matches expectations. For example, instead of doing a trend analysis of data over the long term, the auditor in the previous analysis might (perhaps more simply) determine the ratio of the number of shipments based upon sales and the number of shipments based upon freight costs. If the organization is paying for more shipments than is necessary to get product to buyers, then the ratio would be unreasonable. Another example demonstrates the application of proportional analysis. An auditor conducting an engagement at a brewery compares the cost of hops against the annual output of beer and discovers that the brewery is paying for twice the amount of hops required by its output. Investigation determines that the treasurer is diverting the excess hops to another brewery in which he is an investor.

Topic 2: Use Computer Data Analysis to Detect Fraud (Level P)

The use of computers in auditing has given the internal auditor greater power to verify large numbers of transactions. The computer can compare transactions with the events they affect to highlight unusual conditions, which can then be studied to determine whether they are tied to fraud or some other, perhaps more benign, explanation. Consider the following comparisons:
• Sales of manufactured products to labor and materials costs (Run in one direction, this comparison might highlight nonexistent sales; run backward, it might indicate fraudulent materials or labor costs.)
• Purchases with increases in inventories or sales
• Payroll costs with employee payroll tax reports
These analytical tests do not prove fraud—or another causal mechanism. They simply identify anomalies worth investigating to find an explanation; one explanation could be fraud. Audit departments should consider these various techniques when applying technology to fraud detection:
• Calculation of statistical parameters (e.g., averages, standard deviations, highest and lowest values)—to identify outlying transactions that could be indicative of fraudulent activity
• Classification—to find patterns and associations among groups of data elements
• Stratification of numeric values—to identify unusual (i.e., excessively high or low) values
• Digital analysis using Benford’s Law—to identify statistically unlikely occurrences of specific digits in randomly occurring data sets (Benford’s Law is covered later in this topic.)
• Joining different data sources—to identify inappropriately matching values such as names, addresses, and account numbers in disparate systems
• Duplicate testing—to identify simple and/or complex duplications of business transactions such as payments, payroll, claims, or expense report line items
• Gap testing—to identify missing numbers in sequential data
• Summing of numeric values—to check control totals that may have been falsified
• Validating data entry dates—to identify postings or data entry times that are inappropriate or suspicious
According to a 2008 white paper by ACL Services Ltd., to maximize the effectiveness of data analysis in fraud detection, the technology employed should enable auditors to:
• Compare data and transactions from multiple IT systems (and address control gaps that often exist within and between systems).
• Work with a comprehensive set of fraud indicators.
• Analyze all transactions within the target area.
• Perform the fraud detection tests on a scheduled basis and provide timely notification of trends, patterns, and exceptions.
Critical to the analysis of data is the establishment of normal values for comparative purposes.
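Three of the techniques listed above (duplicate testing, gap testing, and joining data sources) applied to a small accounts-payable extract, as an added example that is not from the manual or from any audit tool. The payment register, vendor master, employee master, and field names are constructed for illustration; the check-number gap, the twice-paid invoice, and the vendor sharing an employee's address are planted so each test has something to find.

```python
"""Duplicate, gap and join tests over a constructed accounts-payable extract."""
from collections import defaultdict
import re

# Constructed sample data (not real records). Check numbers are sequential;
# 1004 is deliberately missing and invoice V-88 is deliberately paid twice.
PAYMENTS = [
    {"check": 1001, "vendor_id": "V100", "invoice": "A-17", "amount": 1250.00},
    {"check": 1002, "vendor_id": "V205", "invoice": "V-88", "amount": 980.50},
    {"check": 1003, "vendor_id": "V117", "invoice": "Q-3",  "amount": 4400.00},
    {"check": 1005, "vendor_id": "V205", "invoice": "V-88", "amount": 980.50},
    {"check": 1006, "vendor_id": "V300", "invoice": "Z-1",  "amount": 75.00},
]
VENDORS = {
    "V100": {"name": "Acme Supply",     "address": "12 Mill Rd, Springfield"},
    "V117": {"name": "Nova Logistics",  "address": "9 Harbor Way, Portside"},
    "V205": {"name": "Beacon Services", "address": "44 Oak Street, Apt 2, Springfield"},
    "V300": {"name": "Quick Print",     "address": "1 Main St, Springfield"},
}
EMPLOYEES = {
    "E12": {"name": "J. Doe",   "address": "44 Oak St. Apt. 2, Springfield"},
    "E15": {"name": "R. Smith", "address": "7 Elm Ave, Springfield"},
}


def normalize_address(addr):
    """Reduce an address to a comparable key: lowercase, punctuation dropped,
    common street-type words abbreviated, all whitespace removed. Two systems
    rarely store the same address the same way, so a join on the raw string
    would miss most matches."""
    a = re.sub(r"[.,]", " ", addr.lower())
    for full, abbr in (("street", "st"), ("avenue", "ave"),
                       ("road", "rd"), ("apartment", "apt")):
        a = re.sub(r"\b%s\b" % full, abbr, a)
    return re.sub(r"\s+", "", a)


def duplicate_payments(payments):
    """Duplicate test: the same vendor, invoice and amount paid more than once.
    Returns {(vendor_id, invoice, amount): [check numbers]} for the repeats."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor_id"], p["invoice"], p["amount"])].append(p["check"])
    return {key: checks for key, checks in seen.items() if len(checks) > 1}


def check_number_gaps(payments):
    """Gap test: check numbers absent from the range spanned by the register.
    A missing number may be a voided check, or one issued outside the system."""
    numbers = sorted(p["check"] for p in payments)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def vendors_matching_employees(vendors, employees):
    """Join test across two systems: vendor addresses whose normalized form
    equals an employee's address. Returns [(vendor_id, employee_id)]."""
    by_addr = {normalize_address(e["address"]): eid for eid, e in employees.items()}
    hits = []
    for vid, v in vendors.items():
        key = normalize_address(v["address"])
        if key in by_addr:
            hits.append((vid, by_addr[key]))
    return hits


if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("gaps:", check_number_gaps(PAYMENTS))
    print("vendor/employee address matches:", vendors_matching_employees(VENDORS, EMPLOYEES))
```

Each hit is an exception to follow up, not a finding of fraud; a void, a reissued check, or a genuine home-based supplier can explain any of them.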

The first step in preparing to detect fraudulent deviations is defining a baseline. For example, having a five-year history of inventory or sales levels will help internal auditors identify unusual increases in inventory that may indicate theft of company property or year-end increases in sales that could be channel stuffing. (Channel stuffing is the practice of inflating sales figures by forcing more products through a distribution channel than the channel can actually sell. The excess goods are returned in a later financial reporting period.) Benchmarks may be created from internal data or may be purchased from industry research organizations. We will describe here two types of analysis—numerical analysis and regression analysis—and two auditing tools for information systems.
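The trend and proportional analysis from Topic 1 (the sales-versus-freight example) run against a baseline built from a prior-year history, as this paragraph describes. This is an added example with constructed annual figures; it is not code from the manual. The baseline years, the 3-standard-deviation cut-off and the growth-rate tolerance are assumptions an auditor would set from knowledge of the business.

```python
"""Trend and proportional analysis of two related series against a baseline."""
import math

# Constructed annual sales and freight cost (thousands). The first five years
# form the baseline; in 2017 freight grows far faster than sales.
SALES   = {2011: 1000, 2012: 1080, 2013: 1150, 2014: 1210, 2015: 1300, 2016: 1380, 2017: 1450}
FREIGHT = {2011:   50, 2012:   54, 2013:   58, 2014:   60, 2015:   66, 2016:   70, 2017:  110}
BASELINE_YEARS = range(2011, 2016)   # assumption: five-year history = normal


def growth_rates(series):
    """Year-over-year growth of a series, keyed by the later year."""
    years = sorted(series)
    return {y: (series[y] - series[p]) / series[p] for p, y in zip(years, years[1:])}


def trend_divergence(series_a, series_b, tolerance):
    """Trend analysis: years in which two related series grew at rates that
    differ by more than `tolerance` (absolute difference of growth rates)."""
    ga, gb = growth_rates(series_a), growth_rates(series_b)
    return [y for y in sorted(ga) if abs(ga[y] - gb[y]) > tolerance]


def ratio_baseline(numerator, denominator, baseline_years):
    """Mean and sample standard deviation of numerator/denominator over the
    baseline years: the 'normal value' later periods are compared against."""
    ratios = [numerator[y] / denominator[y] for y in baseline_years]
    mean = sum(ratios) / len(ratios)
    var = sum((r - mean) ** 2 for r in ratios) / (len(ratios) - 1)
    return mean, math.sqrt(var)


def proportional_exceptions(numerator, denominator, baseline_years, k=3.0):
    """Proportional analysis: post-baseline years whose ratio lies more than k
    standard deviations from the baseline mean. Returns [(year, ratio)]."""
    mean, sd = ratio_baseline(numerator, denominator, baseline_years)
    exceptions = []
    for y in sorted(numerator):
        if y in baseline_years:
            continue
        r = numerator[y] / denominator[y]
        if abs(r - mean) > k * sd:
            exceptions.append((y, round(r, 4)))
    return exceptions


if __name__ == "__main__":
    print("growth-rate divergence (>20 points):", trend_divergence(SALES, FREIGHT, 0.2))
    print("freight/sales baseline (mean, sd):", ratio_baseline(FREIGHT, SALES, BASELINE_YEARS))
    print("ratio exceptions:", proportional_exceptions(FREIGHT, SALES, BASELINE_YEARS))
```

The baseline must itself be clean: if the scheme was already running during the history years, the "normal" ratio absorbs it, which is one reason benchmarks from industry data are useful alongside internal history.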

Numerical analysis

Most auditing programs performing numerical analysis are based on Benford’s Law, a probability principle using observations about the frequency of occurrence of the leading digit in a series of numbers. In the 1920s physicist Frank Benford noticed that the first few pages of his book of logarithm tables were much more worn from use than the last pages. He went on to observe geographical, scientific, and demographic data and deduced that, in sets of numbers, the number one will appear as the leading digit about 60% of the time. The numbers must be describing the size of similar phenomena (e.g., number of transactions or sizes of payments), must not be assigned according to some set of rules (like ZIP codes or payment codes), and must not have an inherent minimum or maximum value (e.g., legally specified amounts, like minimum wage). Larger digits appear in the leading position in inverse proportion to their size, so that the number nine appears in the leading position only 5% of the time. Since most people believe that numbers occur randomly, it is possible that an employee committing fraud by, for example, writing checks to a fictitious vendor would choose amounts that violate Benford’s Law. The amounts of the checks may begin an inordinate number of times with the less probable higher digits. Benford’s Law has been extended to describe probabilities for second digits and for leading two- and three-digit combinations. It may also be coupled with other forms of numerical analysis to identify irregularities, such as:
• Relative size factor, which determines when the largest number in a group is out of line with the rest of the items.
• Same, same, different tests, which search for improbable matches of two of three variables.
• Same, same, same tests, which search for identical entries.
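A first-digit Benford test and the relative size factor described above, as an added example that is not the manual's own code. Expected first-digit shares come from the standard logarithmic form of Benford's Law, log10(1 + 1/d); the check amounts, vendor IDs, and the "fictitious vendor" pattern of amounts starting with 8 and 9 are constructed for the demonstration.

```python
"""Benford first-digit test and relative size factor over constructed amounts."""
import math
from collections import Counter, defaultdict

# Constructed sample data. LEGIT_AMOUNTS are log-uniform over three decades,
# so their leading digits follow Benford's Law by construction.
# SUSPECT_AMOUNTS mimic checks to a fictitious vendor written as 800-995.
LEGIT_AMOUNTS = [10 ** (i / 200) * 10 for i in range(600)]
SUSPECT_AMOUNTS = [800.0 + 5 * k for k in range(40)]
# Constructed (vendor, amount) pairs; V1 has one payment far above its others.
SAMPLE_PAYMENTS = [("V1", 100.0), ("V1", 120.0), ("V1", 9000.0),
                   ("V2", 50.0), ("V2", 55.0), ("V3", 300.0)]


def benford_expected():
    """Expected share of each leading digit 1..9: log10(1 + 1/d)."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of a positive amount; None for zero/negative."""
    if amount <= 0:
        return None
    while amount < 1:
        amount *= 10
    return int(str(int(amount))[0])


def first_digit_test(amounts):
    """Compare observed leading-digit shares with Benford's expectation.
    Returns {digit: (observed share, expected share, z-score)}; a z-score
    beyond roughly +/-3 marks a digit worth investigating."""
    digits = [d for d in (leading_digit(a) for a in amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    result = {}
    for d, p in benford_expected().items():
        observed = counts[d] / n
        std_err = math.sqrt(p * (1 - p) / n)
        result[d] = (observed, p, (observed - p) / std_err)
    return result


def relative_size_factor(payments):
    """Largest amount per vendor divided by the second largest. A high factor
    flags one item out of line with that vendor's other items (for example a
    misplaced decimal or an amount keyed against the wrong vendor)."""
    by_vendor = defaultdict(list)
    for vendor, amount in payments:
        by_vendor[vendor].append(amount)
    rsf = {}
    for vendor, amounts in by_vendor.items():
        if len(amounts) < 2:
            continue                      # no second item to compare against
        top = sorted(amounts, reverse=True)
        rsf[vendor] = top[0] / top[1]
    return rsf


if __name__ == "__main__":
    for d, (obs, exp, z) in first_digit_test(LEGIT_AMOUNTS + SUSPECT_AMOUNTS).items():
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f} z {z:+.2f}")
    print("relative size factor:", relative_size_factor(SAMPLE_PAYMENTS))
```

On the combined population the digits 8 and 9 each come out about three standard errors above expectation, while the clean population stays within one; the test points at a population to drill into, not at a specific check.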

Regression analysis

Computer programs may also be developed using regression analysis—a statistical modeling tool used to find relationships between a dependent variable (e.g., an unauthorized payment) and one or more independent variables (e.g., the number of checks issued, vendors paid, vendors paid at the same address as an employee address, payments made below a certain threshold). A program might correlate expense claims with events associated with travel or with a calendar to spot unreasonably frequent travel or travel that could not be associated with the stated purpose.

Enterprise auditing

Some software tools have been developed to build data analysis models and then apply them across an integrated enterprise management system. These enterprise management systems are useful in large organizations. They provide the means to coordinate various areas of control, analysis, and information storage throughout what is often a physically decentralized organization, like a multinational company or a vertically organized company with multiple manufacturing divisions, marketing, sales, research and development, shipping, customer service, and so on. Data mining refers to the capability of sifting through and analyzing large volumes of data to find certain patterns or associations. Enterprise data mining can be helpful, first, in defining what constitutes a suspicious pattern and, then, in detecting suspicious transactions, like fraudulent wire transfers.

Continuous online auditing

Continuous auditing (or continuous monitoring) uses computerized techniques to perpetually audit the processing of business transactions. Continuous online auditing programs edit transactions as or shortly after they occur, looking for transaction details that do not fall within preset parameters or, alternatively, transactions that match the patterns in fraudulent activity. Auditing reports can be generated at time intervals set according to need. An example of an online auditing system is a program that monitors payments being received at a data center. The online auditing program checks to see that each step of the required process for receiving payments is followed. Continuous auditing might be used to compare payment addresses for each payment mailed with a database of employee addresses. This might detect payments to fictitious entities or duplicate payments. Another example is cited in Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment by Glen L. Gray. Gray describes the use of data mining to collect and compare data from a nationwide chain of retail outlets. Automated comparisons of “clear sale” or “no sale” or cash transactions with national averages identified problematic stores in which employees were stealing cash. Continuous auditing provides an effective way of maximizing audit coverage and allowing the internal audit function to focus on exceptions and obtain greater coverage of high-risk areas. In addition, fraud can be detected on a timelier basis. Gray makes the point that while continuous auditing of an entire database provides total assurance and the capture of even small errors and deviations, it offers two other benefits as well. Analysis of the entire database provides legal coverage against charges that sampling might have been discriminatory or misrepresentative. It also improves the ethical environment of the workplace. If employees think there is a greater chance that they will be caught, there are fewer attempts to commit fraud and a more positive workplace atmosphere. Various publications on the topic and the results of related research projects are available through the IIA, including the following:
• Continuous Auditing Potential for Internal Auditors by J. Donald Warren, Jr., and Xenia Ley Parker (2003)
• Proactively Detecting Occupational Fraud Using Computer Audit Reports by Richard B. Lanza (2004)
• Continuous Auditing: An Operational Model for Auditors by Sally F. Culter (2005)
• GTAG 3: “Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment” (2005)
Building comprehensive software systems of this nature requires thorough business, system, and analytical techniques. Continuous auditing has been most successful in industries with large volumes of transactions, such as the financial services and retail industries. Although most organizations want to develop continuous monitoring systems, doing so requires the right skill set along with a commitment to implement the program for long-term success. Smaller internal audit functions have to rely on the IT group or draw from other resources outside the internal audit function in order to be successful in implementing continuous auditing.
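As an added example (not code from the IIA text or any product it names), the Python below applies a small continuous-monitoring rule set to a constructed feed of outgoing payments: it checks that each required process step was followed, tests amounts against preset parameters, and compares the payee address with an employee address file in the way the text describes. The employee file, the payment feed, the approval limit and the abbreviation table are all assumptions.

```python
import re

# Constructed employee master file (not real data): employee id -> mailing address.
EMPLOYEES = {
    "E100": "123 Main St., Apt 4B, Springfield, IL 62701",
    "E101": "9 Harbor Road, Portland, ME 04101",
}

# Preset parameters, assumed for this illustration.
APPROVAL_LIMIT = 10000.00   # payments above this need a second approver
NEAR_LIMIT = 0.95           # payments at 95%+ of the limit may be deliberate splits
REQUIRED_STEPS = ("received", "logged", "matched", "approved")

# Street-address abbreviations expanded before comparison, so that a payee
# address typed differently from the HR record still matches.
ABBREV = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive",
          "apt": "apartment", "ste": "suite", "n": "north", "s": "south",
          "e": "east", "w": "west"}

def normalize_address(address):
    """Lower-case, drop punctuation and expand abbreviations, so that
    '123 Main St., Apt 4B' and '123 MAIN STREET APARTMENT 4B' compare equal."""
    tokens = re.findall(r"[a-z0-9]+", address.lower())
    return " ".join(ABBREV.get(t, t) for t in tokens)

def monitor(transactions, employees):
    """Apply every rule to every transaction and return (txn_id, rule, detail)
    tuples. Only the exceptions, not the whole population, go to the auditor."""
    employee_addresses = {normalize_address(a): emp for emp, a in employees.items()}
    exceptions = []
    for txn in transactions:
        tid = txn["id"]
        # Rule 1: every required step of the payment process was recorded.
        for step in REQUIRED_STEPS:
            if step not in txn["steps"]:
                exceptions.append((tid, "missing_step", step))
        # Rule 2: amount outside, or suspiciously close to, the preset limit.
        amount = txn["amount"]
        if amount > APPROVAL_LIMIT:
            exceptions.append((tid, "over_limit", amount))
        elif amount >= APPROVAL_LIMIT * NEAR_LIMIT:
            exceptions.append((tid, "near_limit", amount))
        # Rule 3: payee address equals an employee address (possible fictitious vendor).
        emp = employee_addresses.get(normalize_address(txn["address"]))
        if emp:
            exceptions.append((tid, "employee_address", emp))
    return exceptions

# Constructed payment feed (not real data).
TRANSACTIONS = [
    {"id": "T1", "payee": "Acme Supply", "address": "500 Industrial Way, Dayton, OH 45402",
     "amount": 2400.00, "steps": ["received", "logged", "matched", "approved"]},
    {"id": "T2", "payee": "JB Consulting LLC",
     "address": "123 MAIN STREET APARTMENT 4B, SPRINGFIELD IL 62701",
     "amount": 4800.00, "steps": ["received", "logged", "matched", "approved"]},
    {"id": "T3", "payee": "Beta Freight", "address": "77 Dock St, Portland, ME 04101",
     "amount": 9750.00, "steps": ["received", "logged", "matched", "approved"]},
    {"id": "T4", "payee": "Gamma Tools", "address": "12 Mill Rd, Akron, OH 44301",
     "amount": 12500.00, "steps": ["received", "logged", "approved"]},
]

if __name__ == "__main__":
    for tid, rule, detail in monitor(TRANSACTIONS, EMPLOYEES):
        print(f"{tid}: {rule} ({detail})")
```

In a real deployment the rules would read the payment feed from the ERP system as transactions post; here the feed is the constructed list above, and T2 is the payment whose address, once normalized, matches employee E100.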

Chapter F: Culture of Fraud Awareness

Chapter Introduction

The five fraud risk management principles discussed earlier in this section stress the importance of fraud risk assessment, the establishment of prevention and detection controls, and periodic auditing of fraud risk controls. These principles also emphasize actions that support the creation of a culture of fraud awareness. This soft control—created through clearly communicated and enforced policies, employee training in fraud awareness, and a reporting mechanism for suspected fraud—is continually in place to prevent acts of fraud and to ensure a more rapid detection when fraud is committed. The ACFE’s “Report to the Nations” states that over 43% of occupational frauds were initially detected as the result of a tip—usually by another employee but also by customers, vendors, and others. Management review, internal audit, and monitoring systems are simply not as efficient or effective in detecting fraud as ensuring that employees know what fraud looks and feels like, know what to do when they become aware of fraud, and can easily report fraud without fear of retaliation. The topic in this chapter focuses on the role of whistleblowing in managing fraud risk.

Topic 1: Support a Culture of Fraud Awareness and Encourage the Reporting of Improprieties (Level P)

Individuals who report fraud and abuse are commonly referred to as whistleblowers. A whistleblower is typically an employee, but a former employee or someone outside of an organization may also report fraud or other misconduct. Legitimate whistleblowers who have proof of fraud must have confidence that they will be protected from retaliation. Whistleblower hotlines are the most common mechanism for reporting fraud. Compared to organizations without formal whistleblower hotlines, organizations with hotlines are more likely to detect fraud by receiving tips and are less dependent on accident and external audit to uncover fraud. An effective hotline includes the following features:
• Confidentiality or anonymity. Confidentiality and anonymity are not the same thing, and it must be made clear to all concerned whether the information received will be confidential or anonymous. Confidentiality implies that the caller’s name and identity will be communicated only to those with an essential or authorized need to know (e.g., the legal department, human resources, or an investigative unit) and not openly disclosed. Confidentiality can be promised only within the limits allowed by law, and callers should know who might learn their identity. Anonymity provides both secrecy and nondisclosure of the caller’s identity. With full anonymity, the caller’s gender and any other identifying information are also withheld. Promises of anonymity must be kept, and safeguards should be put in place to ensure that the caller’s identity is not disclosed.
• Accessibility. A whistleblower hotline must be easily accessible. For telephone hotlines, a toll-free number or an international number that accepts collect calls is best. The hotline number should be available 24 hours a day, seven days a week. There should also be provisions for reporting by e-mail, letter, and fax. Employees should have as many mechanisms as possible for reporting fraud or abuse.
• Staffing. Hotlines must be staffed by “real” people (not voice-recorded messaging) who are thoroughly screened and trained. If the hotline is international, skilled translators must be available.
• Use of third-party vendors. Although administering a hotline in-house may be adequate, using the services of an independent third-party vendor helps to ensure both the perception and reality that tips will remain confidential or anonymous.
• Naming the hotline. Some corporations choose to keep the term “hotline” in the title for their reporting tool (e.g., “Risk Hotline” or “Ethics Hotline”). Other schools of thought recommend using another term for hotline (e.g., “Business Conduct Line”). Whatever name is chosen, it should clearly signify the intent of a quick and direct telephone line.
• Communicate the existence. A hotline and fraud reporting system will fail unless all employees and people outside the organization are aware of it. Prominently displaying information about the hotline on the organization’s Web site, the company intranet, and internal postings in public places (e.g., break rooms and cafeterias) are a few ways to publicize the hotline.
• Organizational responses to hotline reports. Quick responses are paramount. They build confidence with potential reporters of fraud and abuse that the organization is committed to ethical behavior and a culture of compliance.
The Sarbanes-Oxley Act, the US Federal Sentencing Guidelines for Organizations, and other regulations and laws require accountability and oversight. But embedding fraud awareness within the internal control framework makes even better business sense by promoting zero tolerance for fraud.

Chapter G: Interrogation/Investigative Techniques

Chapter Introduction

As mentioned previously, internal auditors are expected to be familiar with, but not experts in, fraud investigative techniques. If a specialist in fraud investigations is not available in-house, the CAE may contract with external service providers to perform fraud investigations. This may be particularly necessary when fraud schemes involve multiple perpetrators, computers, security, or complex financial transactions. Attribute Standard 1210.A1 states that: “The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.” Practice Advisory 1210.A1-1 advises the CAE to consider the service provider’s professional certifications, memberships in professional associations, reputation, experience, and familiarity with the organization’s industry or business. In addition, the CAE must ensure the independence and objectivity of the service provider. This chapter focuses on the particular investigative skill of interrogation. While internal auditors are not expected to conduct interrogations—these are usually conducted by security/loss prevention and law enforcement professionals—internal auditors should be aware of the unique nature of interrogations.

Topic 1: Demonstrate an Understanding of Fraud Interrogation/Investigative Techniques (Level A)

Interviewing and interrogating

Although the terms “interviewing” and “interrogation” are often used interchangeably, these two activities generally occur in different contexts. They have different goals and, thus, different techniques are used for achieving those goals. Put simply, in an interview, the interviewer doesn’t know the answer to most of the questions he or she is asking. In an interrogation, the interviewer probably already knows the answers to many of the questions that will be asked. The interviewer is seeking an admission of those answers by the perpetrator and any accomplices or evidence of lying and the methods used for committing the fraud.

Key distinctions between interviewing and interrogation are summarized in Exhibit III-2.

Exhibit III-2: Comparison of Key Features of Interviewing and Interrogation

Because their role is to detect signs of fraud and establish grounds for further investigation, internal auditors are usually interviewing, rather than interrogating, individuals. Their responsibility is not to seek confessions or establish evidence that can be used in court, unless they are acting in the role of investigator rather than auditor. The task of the internal auditor is to learn enough about the suspicious activity or individual to confirm or eliminate suspicion and then make a recommendation to the auditing department. It is therefore in the best interest of the internal auditor to use discovery techniques that will encourage communication.

Interview behaviors that may be red flags

Many writers have described specific behaviors during interviews that may become fraud indicators or red flags or at least signs that the interviewee is lying or withholding information. These interview red flags might include:
• Restlessness (frequent shifting of position, standing up, pacing).
• Posture (angling the body away from the interviewer).
• Reluctance to make eye contact. (Auditors should remember, however, that eye contact is often a culturally determined behavior. In these cases, failure to make eye contact may simply be a sign of courtesy rather than concealment.)
• Inappropriate attitudes (ranging from an unusual and immediate level of candor and friendliness to unfounded hostility or sarcasm).
• Signs of anxiety like sighing, perspiring, dry mouth, rubbing hands or face, or rapid and high-pitched speech.
• Sudden change in attitude about answering questions.
• Changes in answers given to questions during the interview.
Auditors should remember that these are only indicators of a potential problem, not proof or evidence that fraud has been committed. They may, however, influence the internal auditor’s recommendation for a follow-up fraud audit.

Interviewing model

There are various steps internal auditors should follow when conducting interviews in the course of any type of audit. These steps are condensed into the following four phases.
• Prepare. This may involve defining the purpose and goals of the interview, gathering background information about the interview subject that may help in establishing rapport and forming questions, preparing specific questions and strategies, and securing an acceptable time and place for the interview.
• Conduct the interview. The interviewer should try to follow the plan and not be distracted from the goals that have been set. Additional areas of questioning may develop in the course of the interview, but the auditor should try to accomplish the interview in the time allotted. The auditor should ensure that interviewee statements are clearly understood to be either factual or hearsay (based on another’s experience or on rumor). There should be adequate notes on the content of the interview to produce an accurate, complete report.
• Gain agreement with the interview subject. In concluding the interview, the auditor should summarize key points to gain the subject’s confirmation or to correct misunderstandings.
• Document the interview. As soon as possible, the interviewer should complete a report of the interview. This is not a transcript but a summary of areas in which questions were asked, key information was received, and information is still lacking. Interview subject attitude should also be described. The report may suggest the next step in the interviewing or investigative process.
We have presented a simplified overview of interviewing skills. A fraud-related interrogation will usually be conducted by someone familiar with many more strategies for establishing rapport and comfort that can be used for a range of purposes, from simply assessing truthfulness to gaining evidence or a confession. What is most critical for an internal auditor to know is the difference between interviews and interrogations and the impact that confusing the two can have on an organization. An interview treated inappropriately as interrogation can result in legal action against the company. Interview subjects may feel as if they have been libeled or coerced. Equally important to the legal implications, however, are the practical effects on the information-gathering goals of the interview.

Chapter H: Forensic Auditing

Chapter Introduction

The term “forensic” means “used in or suitable for use in court.” In other words, forensic auditing is the application of auditing skills to gather evidence that may be used in a court of law for a criminal or civil matter.

Topic 1: Demonstrate an Understanding of Forensic Auditing Techniques (Level A)

When an internal audit uncovers reasonable and sufficient evidence that fraud has been committed, the internal auditor summarizes this evidence in a report for the chief audit executive. The executive will determine if the evidence and the scope of the fraud merit further investigation for possible criminal or civil prosecution. The internal auditing activity will then assemble an appropriate fraud audit team whose members include specialists in forensic auditing.

Fraud audit team

As suggested by Standard 1210.A2, while the internal auditor must be able to identify the indicators of fraud, he or she is not expected to have the special skills required to gather evidence and establish facts that will be admitted into court and will be effective in securing convictions or favorable judgments. This expertise belongs to a group of individuals who comprise the fraud audit team. A fraud team may include an ACFE-certified fraud examiner, security investigators, human resources personnel, legal counsel, and outside consultants (e.g., surveillance or computer experts). Depending on whether senior management is suspected of involvement in the fraud, the team may or may not include members of senior management. If external service providers are used, the CAE should ensure that a work agreement clearly describes the scope of work, expectations and limitations, and deliverables.

Required skills and expertise

By necessity, forensic auditing requires not only understanding of accounting standards and practices but also familiarity with the practices and policies in the business activity being audited and expertise in investigative techniques and the rules and standards of legal proceedings. Forensic auditors must be able to both gather evidence and present it in court in a convincing manner. The evidence they present must follow the rules of evidence established for the court in which the case is presented—whether it is at a federal/national or local level, whether it is a civil or criminal proceeding. They must be able to ensure that evidence is not lost or destroyed by the perpetrator or mishandled in some way so that it will no longer be considered reliable in court.

As with any area of specialization, the more experience professionals gather while doing their jobs, the more adept and intuitive they become. Their intuition is based on a personal mental database of examples of fraud indicators and cover-up techniques they have seen before. They are especially skilled in piecing together the story of a fraud—from establishing motivation and opportunity to describing how the fraud was perpetrated and tracking each step of the fraudulent activity to its final outcome. Organizing this detailed and often technical data into a well-supported story that is easy to follow will be essential in court. Forensic auditors are thus skilled in identifying the gaps in their stories and following trails to find the missing information. In addition to their investigative and legal responsibilities, forensic auditors may also be used by corporations proactively as consultants. Their experience equips them to identify potential weaknesses in controls that can be exploited by perpetrators of fraud. The process used to conduct a fraud audit is described in more detail in Topic 8 of Section I, Chapter C.

Computers as sources of evidence

It is perhaps obvious that an organization’s information system or computers can provide much valuable data that may be analyzed independently or compared with other types of information, which could include paper-based receipts, logs, invoices, or work orders; information from interviews; and information gathered through observation of the area or function. It will be important for the auditor to remember the less obvious sources of information on a computer or information system, such as:
• Word-processed documents (e.g., correspondence that can corroborate an action like writing off an uncollected debt or lost shipment).
• Customer lists. (These might be useful in identifying fictional or inactive accounts that are being used to conceal theft.)
• E-mail logs. (These might reveal, for example, extensive communication with a customer that is uncharacteristic of the work situation.)
• Financial records. (These will yield data that can be further analyzed for irregularities.)
• Scheduling systems or logs. (These can be used to identify irregular contacts or activities or to demonstrate false claims for expense or time reimbursements.)
• Operations logs. (For example, pilfering of waste or diversion of company property might be identified by comparing expected levels of waste or use with actual data.)
• Personnel records. (Personnel records can point to various red flags. For example, employees may not have been screened completely or properly. An employee’s employment record may reveal a history of brief tenures at jobs that afforded opportunity for fraud.)
• Computer-stored voice mail. (These records may suggest instances of theft of intellectual property.)
• Internet history reports. (These may provide evidence related to activities such as harassment or hate crimes.)

It will be critical for auditors to be aware of applicable data privacy practices, policies, and restrictions before reviewing correspondence and items on personal computers. Organizations should also be aware of the rules of evidence in the countries in which they operate. These rules may require the retention of data for specified periods and the ability to search stored data. They may also dictate how evidence may be handled and what is admissible in court. Computer forensics is an investigative discipline that includes the preservation, identification, extraction, and documentation of computer hardware and data for evidentiary purposes and root cause analysis. Computer forensic technology and software packages are available to assist in the investigation of fraud—where computers are used to facilitate the fraud—or to identify red flags of potential fraud. Examples of computer forensic activities include:
• Recovering deleted e-mails.
• Monitoring e-mails for indicators of potential fraud.
• Performing investigations after terminations of employment.
• Recovering evidence after formatting a hard drive.
The challenge of using computers as a source of evidence is maintaining the integrity of the evidence while, at the same time, investigating what is on the computer in question. Since accessing anything on a computer may inadvertently change significant access dates in files, investigators generally begin by isolating the computer under investigation and making a digital copy of the computer’s hard drive. The original is stored in a secure location to maintain the pristine, untouched condition that is required of evidence—termed the “chain of evidence.” Investigation and analysis are conducted on the copy, including searching hidden folders and unallocated disk space for deleted, encrypted, or damaged files. Computer forensic activities help establish and maintain a continuing chain of custody, which is critical in determining admissibility of evidence in courts. Although the CAE and internal auditors are not expected to be experts in this area, the CAE should have a general understanding of the benefits this technology provides so that he or she may engage appropriate experts, as necessary, for assisting with a fraud investigation.
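As an added example (not code from the IIA text or from any forensic package), the Python below shows how the copy-then-analyze procedure above is made provable: the working copy is verified against the original by hash at acquisition, every handling event is written to a chain-of-custody log, and the sealed original is re-hashed before it is produced. The evidence file, file names and handler names are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so that evidence images larger than memory still work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(original, image, log, handler):
    """Copy the evidence, verify the copy against the original by hash, and
    record the acquisition. Returns the shared hash; fails if the copy differs."""
    shutil.copyfile(original, image)
    digest = sha256_file(original)
    if sha256_file(image) != digest:
        raise RuntimeError("working copy does not verify against the original")
    log.append({"event": "acquire", "item": os.path.basename(original),
                "sha256": digest, "handler": handler,
                "time": datetime.now(timezone.utc).isoformat()})
    return digest

def verify_original(original, expected_digest, log, handler):
    """Re-hash the sealed original whenever it changes hands or is produced;
    a mismatch means the chain of custody is broken for that item."""
    current = sha256_file(original)
    log.append({"event": "verify", "item": os.path.basename(original),
                "sha256": current, "match": current == expected_digest,
                "handler": handler, "time": datetime.now(timezone.utc).isoformat()})
    return current == expected_digest

def demo():
    """Constructed scenario: analysis writes only to the copy, so the original
    still verifies; a later (simulated) edit to the original is caught."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "laptop-0042.dd")           # constructed evidence item
        image = os.path.join(d, "laptop-0042-working.dd")
        with open(original, "wb") as f:
            f.write(b"constructed disk image bytes " * 1000)
        digest = acquire_image(original, image, log, "examiner A")
        with open(image, "ab") as f:        # analysis tooling touches the copy only
            f.write(b"carved-file-index")
        still_pristine = verify_original(original, digest, log, "examiner A")
        with open(original, "ab") as f:     # mishandling: someone alters the original
            f.write(b"\x00")
        after_alteration = verify_original(original, digest, log, "examiner B")
    return still_pristine, after_alteration, log

if __name__ == "__main__":
    ok, altered_ok, log = demo()
    print("original verifies after analysis of the copy:", ok)
    print("original verifies after being altered:", altered_ok)
    for entry in log:
        print(entry["event"], entry["item"], entry["sha256"][:12], entry.get("match", ""))
```

The second verification fails only because the original itself was written to; working on the copy, however invasive, never disturbs the recorded hash.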

Bibliography

The following references were used in the development of The IIA’s CIA Learning System. Please note that all Web site references were valid as of March 2013.

American Institute of Certified Public Accountants. “Management Antifraud Programs and Controls.” New York: American Institute of Certified Public Accountants, Inc., 2002.
“Analyze Every Transaction in the Fight Against Fraud: Using Technology for Effective Fraud Detection.” ACL Services Ltd., 2008, www.adfor.it/DOWNLOAD/whitepaper/index.asp.
Apostolou, Barbara. Sampling: A Guide for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2004.
“AS (Australian Standard) 3806—2006 Compliance Program.” infostore.saiglobal.com/store/details.aspx?ProductID=304437.
“AS/NZS ISO 31000:2009, Risk Management—Principles and Guidelines.” Standards Australia/Standards New Zealand, sherq.org/31000.pdf.
“Assessing the Adequacy of Risk Management Using ISO 31000” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.
Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.
“The Audit Committee: Purpose, Process, Professionalism.” The Institute of Internal Auditors, www.theiia.org/download.cfm?file=6676.
“Auditing External Business Relationships” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.
“Auditing Privacy Risks” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
“Auditing Techniques” course. Altamonte Springs, Florida: The Institute of Internal Auditors.
“Auditing the Control Environment” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.
Baker, Sunny. The Complete Idiot’s Guide to Business Statistics. Indianapolis, Indiana: Alpha, 2002.
Baxter, Ralph. “The Role of Spreadsheets in Today’s Corporate Climate.” ITAudit, Vol. 9, December 2006.
Bluman, Allan G. Probability Demystified. New York: McGraw-Hill, 2005.
Bologna, G. Jack, et al. The Accountant’s Handbook of Fraud and Commercial Crime. New York: John Wiley and Sons, 1993.
Breon, Michael A., and Randall F. Stellwag. “Soft Skills to Improve Internal Audit Results.” www.theiia.org/chapters/pubdocs/88/InternalAuditSoftSkills.pdf.
“Building a Strategic Internal Audit Function.” PricewaterhouseCoopers, 2009, www.pwc.be/en/systems-process-assurance/pwc-strategic-internal-audit.pdf.
Coenen, Tracy L. “The Fraud Files: The True Cost of Fraud.” Wisconsin Law Journal, May 24, 2006.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org.
Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrated Framework. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2004.
Committee of Sponsoring Organizations of the Treadway Commission. Guidance on Monitoring Internal Control Systems. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2009.
Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework. Jersey City, New Jersey: American Institute of Certified Public Accountants, 1994.
Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Over Financial Reporting—Guidance for Smaller Public Companies. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2006.
“Coordinating Risk Management and Assurance” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
“Corporate Governance: A Practical Guide.” London Stock Exchange, 2004, www.ecgi.org/codes/code.php?code_id=118.
Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.
“Corporate Governance Principles and Recommendations with 2010 Amendments.” ASX Corporate Governance Council, www.asxgroup.com.au/media/PDFs/cg_principles_recommendations_with_2010_amendments.pdf.
Culter, Sally F. Continuous Auditing: An Operational Model for Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.
Dalal, Chetan. “Foiled by Nanoscience.” ITAudit, April 1, 2005.
“Developing the Internal Audit Strategic Plan” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
Directory of Software Products for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.
“Effective Writing for Auditors.” Altamonte Springs, Florida: The Institute of Internal Auditors.
“Enhancing Board Oversight.” COSO, March 2012, www.coso.org/documents/COSOEnhancingBoardOversight_r8_Web-ready%20(2).pdf.
“Formulating and Expressing Internal Audit Opinions” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.
Fraud Examiners Manual, 2003 edition. Austin, Texas: Association of Certified Fraud Examiners, 2003.
Frigo, Mark L. A Balanced Scorecard Framework for Internal Auditing Departments. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2002.
Galloway, David. Internal Auditing: A Guide for the New Auditor, second edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2002.
Global Technology Audit Guides (GTAG). Altamonte Springs, Florida: The Institute of Internal Auditors.
• GTAG 1: “Information Technology Controls,” 2005.
• GTAG 3: “Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment,” 2005.
• GTAG 11: “Developing the IT Audit Plan,” 2008.
Glover, Hubert D., and James C. Flag. Effective Fraud Detection and Prevention Techniques Practice Set. Altamonte Springs, Florida: The Institute of Internal Auditors, 1993.
Goldsmith, Jim. “Using Audit Tools, Part 1, Audit Software Packages.” ITAudit, August 14, 1999.
“Government Auditing Standards (The Yellow Book).” US Government Accountability Office (GAO), www.gao.gov/govaud/ybk01.htm.
Gray, Glen L. Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2004.
Guide to the Assessment of IT Risk (GAIT). Altamonte Springs, Florida: The Institute of Internal Auditors.
Hargraves, Kim, Susan B. Lione, Kerry L. Shackelford, and Peter C. Tilton. Privacy: Assessing the Risk. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003.
Heizer, Jay, and Barry Render. Principles of Operations Management, fourth edition. Upper Saddle River, New Jersey: Prentice-Hall, 2001.
“How to Get Action on Audit Recommendations.” Washington, D.C.: United States General Accounting Office, July 1991.
Hubbard, Larry. Control Self-Assessment: A Practical Guide. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.
Hutton, David W. The Change Agents’ Handbook. Milwaukee, Wisconsin: ASQ Quality Press, 1994.
Improving Business Processes. Boston, Massachusetts: Harvard Business School Press, 2010.
The Institute of Internal Auditors, www.theiia.org.
“Integrated Auditing” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
“Interaction with the Board” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.
“Internal Auditing and Fraud” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.
“Internal Auditor Competency Framework.” The Institute of Internal Auditors, www.theiia.org/guidance/additional-resources/competency-framework-for-internal-auditors.
International Professional Practices Framework. Altamonte Springs, Florida: The Institute of Internal Auditors.
ISO 31000—“Risk Management.” ISO, www.iso.org/iso/home/standards/iso31000.htm.
Jerskey, Pamela. “Automated Workpapers Made Easy.”
Lanza, Richard B. Proactively Detecting Occupational Fraud Using Computer Audit Reports. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2004.
“The Laws That Govern the Securities Industry—Sarbanes-Oxley Act of 2002.” Securities and Exchange Commission, www.sec.gov/about/laws.shtml.
“Managing the Business Risk of Fraud, A Practical Guide.” The Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners, 2008, www.theiia.org/media/files/fraud-white-paper/fraud%20paper.pdf.
Marcella, Albert J., Jr. “Preparing for the Digital Records Storm: ESI, the Law, and Corporate Vigilance.” Unpublished manuscript.
Marks, Norman. “Auditing Governance Processes.” Internal Auditor (Ia), February 2012.
McNamee, David. Business Risk Assessment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.
“Measuring Internal Audit Effectiveness and Efficiency” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.
Nigrini, Mark. “I’ve Got Your Number: How a Mathematical Phenomenon Can Help CPAs Uncover Fraud and Other Irregularities.” Journal of Accountancy, May 1999.
O’Gara, John. Corporate Fraud: Case Studies in Detection and Prevention. Hoboken, New Jersey: John Wiley and Sons, 2004.
Organizational Governance: Guidance for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006. (As of February 2010, this publication is suppressed.)
“Organizational Guidelines.” United States Sentencing Commission, www.ussc.gov/Guidelines/Organizational_Guidelines/index.cfm.
Public Company Accounting Oversight Board, www.pcaob.org.
Quality Assessment Manual, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.
“Quality Assurance and Improvement Program” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
Reding, Kurt F., Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Mark Salamasick, and Cris Riddle. Internal Auditing: Assurance and Consulting Services, second edition. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2009.
“Report to the Nations on Occupational Fraud and Abuse, 2012 Global Fraud Study.” Association of Certified Fraud Examiners, www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-reportto-nations.pdf.
“Revised Guidance for Directors on the Combined Code.” Financial Reporting Council, www.ecgi.org/codes/documents/frc_ic.pdf.
“Risk Assessment in Practice.” COSO, October 2012, www.coso.org/documents/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20%20for%20merge_files/COSOERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf.
“The Role of Internal Auditing in Enterprise-Wide Risk Management.” The Institute of Internal Auditors, 2009, www.theiia.org/download.cfm?file=62465.
Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.
Sayana, S. Anantha. “Using CAATs to Support IS Audit.” Information Systems Audit and Control Association, www.isaca.org/Journal/Past-Issues/2003/Volume-1/Pages/Using-CAATS-to-SupportIS-Audit.aspx.
“Skills for the New Internal Auditor” seminar. Altamonte Springs, Florida: The Institute of Internal Auditors, 2007.
Sobel, Paul. “Internal Auditing’s Role in Risk Management.” March 2011, www.theiia.org/bookstore/product/internal-auditings-role-in-risk-management-1561.cfm.
“Tools and Techniques for the Beginning Auditor” seminar. Altamonte Springs, Florida: The Institute of Internal Auditors, 2007.
Warren, J. Donald, Jr., and Xenia Ley Parker. Continuous Auditing: Potential for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2003.
Whitley, Jody. “Taking the Leap: Using Audit Software in Gaming Audit Shops.” The Institute of Internal Auditors, February 15, 2005.
Woelfel, Charles J. Financial Statement Analysis. New York: McGraw-Hill, 1994.
Yau, Woon-Foong.
“Embedded Audit Modules in Enterprise Resource Planning Systems: Implementation and Functionality.” Journal of Information Systems, September 22, 2005. Zhang, Charles. “The Art of Coordination.” Internal Auditor, April 1998.
